Please post in plain text and configure your mailer to wrap lines at an
appropriate length.
On Mon, 9 Aug 2004, Evan Sikorski wrote:
>
> What do I have to do to pass ipsec traffic through shorewall? I am not
> using ipsec to create a tunnel, I am using it in transport mode to
> encrypt communications between specific hosts on my LAN. When the
> firewall is cleared, traffic works perfectly and I am able to communicate
> with the hosts I have set up IPsec on; however, when I start Shorewall I
> cannot communicate with those hosts anymore. I can ping them and receive
> a reply, but I can no longer ssh into them or use other such services.
>
> I am passing AH and ESP in my /etc/shorewall/rules file and they are no
> longer being shown in the firewall logs as being blocked, but I am still
> having the same problem of being unable to connect to the other LAN
> machines unless the firewall is cleared.
>
You will also need UDP port 500 AND you need to configure rules for the
traffic that you want to exchange (like ssh).
> I cannot find any docs on the shorewall site either that have anything
> to do with *transport* mode, all I can find is docs for *tunnel* mode,
> which I am not using.
>
I would think that transport mode to a zone should be configured in
Shorewall just like you would configure Roadwarrior tunnel-mode access to
that zone.
> If you need to see any configurations just let me now.
Given that the IPSEC implementation totally changed in the 2.6 kernels,
it's always good to know if you are using 2.4 or 2.6. If you are running
2.6, you are out of luck unless you are brave enough to try the IPSEC
support I just released in 2.1.3.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
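An added illustration of the rules Tom describes (IKE on UDP 500, AH, ESP, and a rule for the protected service itself), not taken from the original thread or from the Shorewall documentation. It assumes the Shorewall box is one of the transport-mode endpoints, that the LAN zone is named `loc` and the firewall zone `fw`, and that the only protected service is ssh; the zone names, the 192.168.1.0/24 address and the layout of the columns are assumptions for this example.

```text
# /etc/shorewall/rules (added example, not from the original post)
# Columns: ACTION  SOURCE  DEST  PROTO  DEST PORT(S)
#
# Key exchange: IKE runs over UDP 500 in both directions.
ACCEPT   loc      fw     udp    500
ACCEPT   fw       loc    udp    500
#
# The IPsec packets themselves: ESP is IP protocol 50, AH is 51.
ACCEPT   loc      fw     50
ACCEPT   fw       loc    50
ACCEPT   loc      fw     51
ACCEPT   fw       loc    51
#
# The protected service still needs its own rule: once ESP/AH is
# stripped, the inner packet is matched again as ordinary tcp/22.
# Restricting SOURCE to the LAN subnet is an assumed choice here.
ACCEPT   loc:192.168.1.0/24   fw   tcp   22
```

Only the last rule is specific to the service being carried; the IKE, ESP and AH rules are the same ones a roadwarrior tunnel-mode zone would need, which is the point of Tom's comparison above. If the firewall merely routes between two LAN hosts that are the endpoints, the SOURCE and DEST zones change, but the same four kinds of traffic (UDP 500, 50, 51 and the inner service) still have to be allowed.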